CVE-2025-14611 HIGH

CVE-2025-14611: Gladinet CentreStack and TrioFox Hard Coded AES Keys

Vendor: Gladinet
Product: CentreStack and TrioFox
KEV Status: Known Exploited
Published: December 12, 2025
Last update: February 26, 2026

CVSS base score

7.1/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:A

What the vulnerability does

01 Description

Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for publicly exposed endpoints that may make use of it and may allow arbitrary local file inclusion when sent a specially crafted request without authentication. This opens the door to future exploitation and can be combined with previous vulnerabilities to gain full system compromise.

CISA mandated remediation

02 CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03 Disclosure timeline

December 12, 2025: CVE published
February 26, 2026: Record updated